Prevention mechanism against occupational fraud: the
perception of employees and managers
by
Jelmer Schepers
Master Business Administration Organizational & Management Control
18 June 2016 Words: 14.882 Supervisor: Dr. S. Girdhar s.girdhar@rug.nl Co-assessor: Dr. B. Crom b.crom@rug.nl Korreweg 212 9715 AM Groningen 06 57 77 98 51 j.schepers.3@student.rug.nl studentnumber: 2808048
2 | P a g e
Abstract
During recent years, fraud examination has gained a considerable amount of attention in the organisational setting. Organizations lose 5% on occupational fraud per year and fraud prevention plays an important role in this to decrease this percentage. The purpose of this study is to examine which mechanisms companies use to prevent occupational fraud and how managers and employees perceive the effectiveness of these mechanisms as previous done literature did not describe what the perception of employees is about prevention mechanism. A case study is conducted with 8 in-depth interviews in a consultancy engineering firm. The most striking findings are that employees perceived training and an update of the code of conduct as an effective prevention methods where managers did not see it necessary to train employees when fraud is not seen as a threat because it is too costly. Managers rely on intangible prevention tools if fraud is not seen as a threat which is built on an advice of the internal and external auditor. This thesis extends prior research to prevention mechanism to fraud and can assist managers, internal auditors and external auditors to implement effective prevention mechanism to fraud.
Keywords
Fraud, prevention, manager(s), employee(s) Supervisor
3 | P a g e
Table of Content
1 Introduction ... 4 2 Theoretical background ... 6 2.1 Occupational Fraud ... 6 2.2 Prevention mechanism ... 72.3 Management Antifraud Programs and Controls ... 9
2.3.1 Creating a culture of honesty and high ethics ... 9
2.3.2 Evaluating antifraud processes and controls ... 11
2.3.3Developing an appropriate oversight process ... 12
3 Methodology ... 13
3.1 Research context ... 13
3.2 Research method and process ... 13
3.3 Quality criteria ... 15
4 Results ... 16
4.1 Fraud ... 16
4.2 Management antifraud programs and controls ... 18
4.2.1 Creating a culture of Honesty and High Ethics ... 18
4.2.2 Evaluating antifraud processes and control ... 26
4.2.3 Developing an appropriate oversight process ... 32
5 Discussion ... 34
6 Conclusion ... 37
6.1 Theoretical and Managerial Implications ... 37
6.2 Limitations ... 37
6.3 Future research ... 38
References ... 38
4 | P a g e
1 Introduction
During recent years, fraud examination has gained a considerable amount of attention in the organisational setting (Ashforth and Anand, 2003; Collins et al., 2009; Palmer, 2008; Zahra et al., 2005), particularly due to corporate financial accounting scandals in the past (e.g. Enron, Worldcom, Tyco, Saytam). According to a report from the Association of Certified Fraud Examiners (ACFE, 2014) organizations lose five percent of revenue due to occupational fraud per year. Occupational fraud is defined as: ’the use of one’s occupation for personal enrichment through the deliberate misuse or
misapplication of the employing organization’s resources or assets’’ (ACFE, 2012, p. 6). This translates
to a fraud loss of nearly $3.7 trillion. In addition, the damage inflicted by fraud goes beyond direct monetary loss. Collateral damage may include harm to external business relationships, employee morale, firm reputation and branding (PriceWaterhouseCoopers (PWC), 2014). Despite the development of several handbooks about fraud deterrence and prevention (Cendrowski, Petro, Martin, 2007; Wells, 2011; ACFE, 2014), there is not enough control to assure safety against fraud (Wells, 2011). Therefore, many entities are trying new and different steps to combat fraud (KPMG Forensic, 2003; PWC, 2003).
To prevent against fraud, an organization should begin with a holistic understanding of the economic crime risk, from that position, an organization can create an effective program that mitigates those risks. The research discovered that 22% of the organizations have not carried out a fraud risk assessment, while the research discovered that risk is increasing. The people, culture and values of an organization are described as the first line of defence. The research of PriceWaterhouseCoopers (2016) described a difference in the perception of the CEO’s and the managers. This is shown as 90% of the CEOs felt values were clear and understood, where this has been reduced to 84% at the level of managers. This can be seen as a gap between the perception of CEOs and of managers, hence this is where unethical activities can spring. It is interesting to know if the perception on a lower level – between management and employee – also differs, where more unethical activities can spring.
5 | P a g e
A search of literature revealed few studies who focused on prevention mechanism and most of the research that is done is conducted by professional organizations (ACFE, 2016; PricewaterhouseCoopers, 2016). Furthermore, the ongoing growth in fraud cases (ACFE, 2012; E&Y, 2012; KPMG, 2012; PwC, 2012) indicates there is a strong need for research, that will better enable managers and internal auditors to prevent potential fraud (Bierstaker et al., 2006). Although prior research has focused on the reason why people in an organization commit fraud (Buckhoff, 2001; Dorminey et al., 2012) and focused on effective prevention methods by the perception of the internal/external audit function (Bierstaker et al., 2006, KPMG, 2008) the employees act as a backbone in the organization and this study should give a contribution to the employee understanding towards the several types of fraud prevention strategies.
Thus, the purpose of this study is to analyze and understand the employees’ and managers’ perception of the innumerable techniques used to combat fraud. Furthermore, it sheds light on whether the techniques actually used by the firm are considered the most effective and offer suggestions to other organizations as to which prevention techniques are helpful or could complement their current activities. It could benefit to reduce the time spent on the use of ineffective techniques and reduction of fraud risk through earlier implementation of more effective fraud prevention techniques (Bierstaker et al., 2006). By exploring this phenomenon, we can make a contribution to the literature on the perception from the employees’ and the managers regarding the effective prevention methods.
The central research question of this paper is:
Which mechanisms do companies use to prevent occupational fraud and how do managers and employees perceive the effectiveness of these mechanism?
6 | P a g e
2 Theoretical background
In this section the different subjects of this research will be explained by means of a literature review. First the research about occupational fraud is described and thereafter the prevention mechanisms for committing occupational fraud are explored.
2.1 Occupational Fraud
The Association of Certified Fraud Examiners (ACFE) defines occupational fraud as: ‘’the use of one’s
occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets’’ (ACFE, 2012, p. 6). Occupational fraud is, therefore, very broad,
and it encompasses a range of transgressions by employees at all levels of an organizational hierarchy. Three main categories of fraud were included (Wells, 2011; ACFE, 2016) and each of these contains specific types of occupational fraud that occur within an organization. Asset misappropriations is one of the three types and involved theft or misuse of an organization’s assets. Asset misappropriation could be divided within cash, inventory and all other assets. Examples of cash asset misappropriations are; theft of cash on hand, theft of cash receipts and fraudulent disbursements. Fraudulent activities in inventory can be divided between misuse and larceny. For all subtopics, there are different examples which can be found in the Fraud Tree from the ACFE (2016).
Surveys conducted by the ACFE (2016) have shown that asset misappropriation was by far, the most common form of occupational fraud, with an percentage of 83 percent. The survey also showed that it had the smallest median loss, with a value of $125.000. There are relatively few historical studies in the area of asset misappropriation, as most academic fraud studies have focused on financial statement fraud. This is not surprising as this form of fraud is the most expensive with a median loss of $ 975.000 per case (ACFE, 2016). Much of the research that exist is done by professional organizations such as PWC, KPMG, the Association of Certified Fraud Examiners (KPMG, 2006; PricewaterhouseCoopers, 2016) or J.T. Wells, who is the founder of the ACFE. Cressey’s (1950) fraud triangle theory could be used to better understand the motivations for asset misappropriation. This theory provides valuable insights into why people commit fraud. The three key elements of the fraud triangle theory are pressure (an un-shareable need), rationalization (of personal ethics) and opportunity (lack of adequate controls and knowledge to commit a fraud). All three must be present for fraud to be perpetrated (Cressey, 1950).
Corruption is the second category in occupational fraud and could be defined as: ‘A scheme
in which an employee misuses his or her influence in a business transaction in a way that violates his or her duty to the employer in order to gain a direct or indirect benefit’ (ACFE, 2016). Corruption
7 | P a g e
et al. 2015; ACFE, 2016). Conflicts of interest, bribery, illegal gratuities and economic extortion are subcategories of corruption. Ashforth and Anand (2003) developed a model that explains how corruption becomes normalized in an organization. They argued that three mutually reinforcing processes underlie normalization: institutionalization, rationalization and socialization. Furthermore, Collins et al. (2009) studied why firms engage in corruption from a top management perspective. They found that if firms have social ties with government officials, their firms are more likely to engage in corruption. The executives are likely to rationalize engaging in corruption as a necessity for being competitive. Organizations have high losses due to corruption.
Financial statement fraud is the third main category of occupational fraud. According to ACFE (2016) it is defined as ‘A scheme in which an employee intentionally causes a misstatement or
omission of material information in the organization’s financial reports (e.g., recording fictitious revenues, understating reported expenses, or artificially inflating reported assets). Financial
statement fraud occurs in less than 10% of the cases researched by the ACFE (2016) but with a median loss of $ 975.000. Rezaee (2002) found that financial statement fraud has cost investors more than $ 500 billion during the past several years and summarized a sample of the most recent high profile financial statement fraud cases. Beasly (1996) examined the relation between board of director composition and the occurrence of financial statement fraud. He found that a larger proportion of outside members on the board of directors will reduce the likelihood of financial statement fraud.
There is an important aspect that is missing, this is the recent trends in occupational fraud. Hofmann (2013) and PriceWaterhouseCoopers (2016) found three important trends. The first being the amount of criminal activities by women has significantly increased. The second as the upcoming occurrences of cybercrime, and thirdly there are the cases of theft through the economic crisis. To effectively detect and prevent fraud, one must first understand what motivates people to commit fraud. The fraud triangle theory of Cressey (1950) can help to understand this fact. Seven in ten organizations believe that opportunity is the main driver of occupational fraud (PriceWaterhouseCoopers, 2016). Prevention mechanism can help to reduce these opportunities.
2.2 Prevention mechanism
Since everyone loses, once occupational fraud has occurred, organizations could save large amounts of money through fraud prevention. A passive approach to prevent occupational fraud is a recipe for disaster (PWC, 2016). Biegelman and Bartow (2012, p.28) described fraud prevention as the following: ‘’It requires a system of rules, which, in their aggregate, minimize the likelihood of fraud
occurring while maximizing the possibility detecting any fraudulent activity that may transpire’’.
8 | P a g e
defence and interventionist methods. The Sarbanes-Oxley Act (SOX, 2002) is an example of a punitive prevention method. Defence methods concentrate on limiting the opportunity, such as the implementation of an internal control system. The interventionist method assumes that ‘‘crime
rates can be reduced significantly only by determining the conditions that produce them and then changing those conditions’’ (Sutherland et al., 1992, p. 574). Albrecht et al. (2008) describe the major
elements of fraud prevention as: creating a culture of honesty, openness and assistance for all employees and eliminating opportunities for fraud to occur. One of the elements is the development of an internal control system. Other parties, such as the ACFE (2016), describe prevention mechanism as anti-fraud controls. In this case, the mechanisms sometimes work as a prevention method and a detection mechanism when combined: a hotline could deter people to engage in fraud, but if someone acts as a whistle-blower, it is used as a detection mechanism (Rahman & Anwar, 2014). This could create some confusion, even as some studies use the word system, other the word strategy, and yet other the term mechanism or tool to prevent fraud.
9 | P a g e
training. This indicates that organizations do not use a pro-active approach, but react when fraud occurs. It could be a strategic miscalculation to not invest in compliance programs.
Furthermore, PricewaterhouseCoopers (2016) described a perception gap between what CEOs, boards and middle managers think about the effectiveness of a compliance program. An effective ethics and compliance program should focus on four areas: people and culture, roles and responsibilities, high-risk areas and technology. Besides the research of PricewaterhouseCoopers about CEO and middle managers perception, another approach to fraud prevention is found by Bierstaker et al. (2006). He researched the perception of accountants’ regarding fraud prevention and detection methods. He found that organizations are trying different steps to combat fraud (KPMG, 2003; PWC, 2003). A reason for this could be that, in the past, the organization used a strategy of fraud detection that is not effective. Furthermore, fraud prevention is a better strategy, since it is difficult to recover fraud losses when they are detected (Wells, 2004), which emphasizes the importance of well-developed prevention methods. The introduction of the Sarbanes-Oxley Act in 2002 (SOX) did not contribute in terms of fraud prevention in his eyes, as it focuses more on punishment and accountability and catching perpetrators (Andersen, 2004). Bierstaker et al. (2006) found also that smaller firms appear to be the most reluctant to invest in fraud prevention methods, even though a fraud occurrence may be more costly for small business compared to large ones (Thomas and Gibson, 2003; Association of Certified Fraud Examiners, 2016; Wells, 2003). In this case, it suggests that smaller firms are more vulnerable when fraud occurs, because one occurrence of fraud could lead to bankruptcy. Therefore it is important that they implement a prevention mechanism and that they know which mechanisms are seen as effective and which are not.
The best way to ensure a culture of compliance is through an appropriately designed internal control and antifraud program (Biegelman and Bartow, 2012) which covers all the described prevention mechanisms. The American Institute of Certified Public Accountants’ (AICPA) published a Management Antifraud Programs and Controls Handbook (SAS 99. 86). This is a 14-step program that can be divided into 3 main fraud prevention measures. Those measures are described as follows:
2.3 Management Antifraud Programs and Controls
2.3.1 Creating a culture of honesty and high ethics
Setting the tone at the top
10 | P a g e
committing fraud. One of the most important building blocks is a culture that focuses on a strong value system founded on integrity. Mostly, this value system is covered in the code of conduct from an organization. The National Commission on Fraudulent Financial Reporting (Treadway Commission, 1987) suggested that all public companies should establish effective written codes of conduct promoting honourable behaviour by corporations (Rezaee, 2001).
Creating a positive workplace environment
When employees are empowered in an organization and work under well-defined conditions, there is less chance of wrongdoing (Spreitzer and Doneson, 2005). If people feel abused, threatened or ignored, it will create more opportunities for negative behaviour (Caruana, 2001). According to Sims (2002) employees who report high levels of job and organizational satisfaction, are less likely to break ethical rules within an organization. Biegelman (2006) gave examples of some factors that detract from a positive work environment, these are: Unreasonable budget expectations or other financial targets, lack of clear organizational responsibilities and poor communication practices or methods within the organization.
Hiring and promoting appropriate employees
An organization should implement effective policies that minimize the chance of hiring or promoting individuals with low levels of honesty (Biegelman, 2006). Possible examples of activities that could be done involve conducting background investigations, checking education and personal references. Bierstaker et al. (2006) mentioned that organizations should conduct a second reference check after six months as a dismissal from a previous organization can be hard to find after a long time. According to Wells (2011) one of the most important means of fighting fraud is not hiring people with questionable backgrounds. Research in the United States has shown that 70% of people are not always honest and 30% are honest all the time. Every organization thinks that they have hired honest employees, but research suggests this is impossible. When dishonest employees are hired, the best controls will not prevent them from committing fraud (Albrecht et al., 2011).
Training
11 | P a g e
2012). It is therefore important to offer this training to all employees. Employees should be told what fraud is, how fraud hurts the organization, how they should act when they see someone who is committing fraud and they should create examples of possible fraud situations in the organization (ACFE, 2012). The employees should receive this training periodically. Most of the organizations with successful fraud awareness programs have packaged fraud training with other sensitive subjects, such as employee safety or discrimination (Albrecht et al., 2011).
Confirmation
The management should communicate with their employees that they are accountable to work in line with the code of conduct. Employees should be required to sign a code of conduct at a minimum. A periodic confirmation should be done to make employees aware of their responsibilities (Albrecht et al., 2009). Schwartz (2004) did research on which elements of code content, creation, implementation and administration were important to create an effective code of conduct. Companies should provide examples, employees should be involved in the process of creation, training should employees give the opportunity to ask questions and reinforcement of the code needs to take place.
Discipline
This refers to the way an organization reacts to incidents regarding fraud. Organizations should investigate suspected fraud, then appropriate and consistent actions should be taken against violators and the organization should provide training to refresh the values of the organization (Biegelman, 2006). Carpenter and Reimers (2005) found that a person may be more likely to act unethically if the perceived consequences are small. Therefore, it should not be tolerated but judged (Krummeck, 2000). Demonstrating zero tolerance for unethical and fraudulent behaviour can reduce incidence of fraud (Rezaee, 2005).
2.3.2 Evaluating antifraud processes and controls
Identifying and measuring fraud risks
12 | P a g e
management, internal audit and legal counsel where they ask themselves questions, such as: who is the most likely to commit fraud? Where is it most likely to happen?
Mitigating fraud risks
After a fraud risk assessment is conducted, an organization should reduce or eliminate fraud risks by making changes to the organizations activities and processes. Wolfe and Hermanson (2004) described that a key to mitigating fraud is to focus your attention on situations offering, in addition to incentive and rationalization, the combination of opportunity and capability. The organization should ask the question, if people have the opportunity to create a situation where they could commit fraud? This is highly connected with the previous subject about identifying and measuring fraud risk. The situation that presents an opportunity to commit fraud should be mitigated with a change of process, to prevent future possibilities of fraud (Albrecht et al., 2011).
Implementing and monitoring appropriate internal controls
An organization should have a process in place that evaluates and tests control that can mitigate the identified risks. Therefore, they should know where fraud could occur and how to prevent it. Internal control is seen as a key deterrent of fraud. Rae and Subramaniam (2008) see internal controls as a system that potentially prevents errors and fraud through monitoring and enhancing organizational and financial reporting processes, as well as ensuring compliance with pertinent laws and regulations.
2.3.3Developing an appropriate oversight process
Audit committee or Board of Directors
The audit committee should evaluate management’s identification of fraud risks, implementation of antifraud measures, and creation of the appropriate ‘tone at the top’ (SAS 99. 86). Furthermore, this audit committee should ensure that the management has a pro-active approach with regard to fraud deterrence and prevention measures to protect stakeholders.
Management
13 | P a g e
Internal Auditors
The internal auditors should use their knowledge about the organization to identify where fraud could occur (SAS 99 .86). Internal auditors can act as detection and deterrence mechanisms. We focus on deterrence in this research. Cendrowski (2007) mentioned that the possibility of the internal auditing function to report fraud to management results in a front line of fraud deterrence. James (2003) did research on the structure and function of internal auditing departments. They found that internal audit departments who report to the audit committee are perceived as more able to deter financial statement fraud than internal audit departments who report to senior management, where they conclude that internal audit reporting structure appears to affect user perceptions (James, 2003).
Independent Auditors
The external auditors should assist management and the board of directors with an assessment of the organizations process for identifying, assessing and responding to the risks of fraud. Basically, external auditors are responsible for discovering material misstatements in the financial statements. External financial auditors should ensure that internal controls are effective in preventing financial statement fraud (Rezaee, 2002; Singleton et al., 2002)
Certified Fraud Examiners
Certified fraud examiners may assist the audit committee and board of directors with aspects of the oversight process either directly or as part of a team of internal auditors or independent auditors.
3 Methodology
3.1 Research context
The fundament of this research is a qualitative case study approach to discover the perceptions employees and managers have about prevention mechanism to commit fraud. The case study is conducted at an international firm of consulting engineers who own branches in six western-European countries with over 1,000 employees. The organization supports clients in a responsible way with clear recommendations, which take into account all aspects of their field, such as the environment, safety, energy, water and the living environment.
3.2 Research method and process
14 | P a g e
Bailey, 2011). Therefore semi-structured interviews are appropriate to gain a good understanding of the perception of managers and employees about prevention mechanism. This method is used, because this had proven to ensure the highest validity (Cohen & Crabtree, 2006). Furthermore, although the questions are set up front, the loose and flexible setting left room for new insights (Galletta, 2013). According to Drever (1995), semi-structured interviews also ensure the highest degree of validity, since structured and unstructured interviews have some pitfalls. The interview questions are stated after a considerable investigation of existing literature. Questions about the prevention mechanism are built through the analysis of existing literature regarding prevention mechanisms. The management antifraud programs and controls (Biegelman and Bartow, 2012; SOX, 2002) were used to structure questions to different topics. Furthermore, other papers published by professional organizations such as the ACFE, PricewaterhouseCoopers and KPMG played an important role in the development of the questions.
The data is collected from 8 semi-structured personal interviews (table 1), each of which was approximately 1 hour in length and took place in the headquarters of the Netherlands. Three weeks before the interviews were conducted a meeting with the department manager and an HR advisor took place. This took place to describe the topic of the research, the possible value for the organization and to ensure that there were no surprises during the study as it was a sensitive topic.
Date Interview method Position
19-04-2016 Face to Face Department manager and HR advisor (exploratory conversation) 09-05-2016 Face to Face Business Controller
09-05-2016 Face to Face Department Manager 09-05-2016 Face to Face Department Manager
09-05-2016 Face to Face HR-Manager / member of Board of Directors, (Marketing & Communication Manager)
13-05-2016 Face to Face Project manager 13-05-2016 Face to Face Consultant 13-05-2016 Face to Face Consultant 18-05-2016 Telephone Project manager
15 | P a g e
The interviews started with a short introduction of the topic. The researcher appointed the possibility to the respondents to ask more background information when needed. Thereafter, some general questions were asked about the function of the respondent, the work experience and their educational background. The interview was conducted in Dutch, but the questions are rephrased to English to make it easier to understand. (Appendix I – Interview guide).
The first four interviews were conducted with one HR-staff manager, two department managers and one business controller of the finance department. These were selected to identify which prevention mechanisms are used and why and what their perception about it was. These interviews created a holistic understanding of the organization. Thereafter, the interview scheme is revised, because the obtained data resulted in new insights and the extra questions resulted in added value for the research. According to Eisenhardt (1989), the key feature of theory-building case research is the freedom to make adjustments during the data collection process. With this revised interview scheme, the four interviews with the employees were conducted to deepen and identify their perception about prevention methods. Two employees of each department were questioned to create a cross section of the whole organization. The department managers selected these respondents. I argued in the first conversation at 19 April 2016 that these employees should be representative for the other employees.
After the interviews were conducted, the tape-recorded interviews were written in a transcript. The transcribed data is translated to English and all the answers were structured according to the handbook management antifraud programs and controls handbook (Biegelman and Bartow, 2012; SOX, 2002). The answers were analysed and replaced because answers were given to questions that were asked later in the interview.
3.3 Quality criteria
Quality was an important topic in this case study. Aken et al. (2012) divided these criteria in controllability, reliability and validity to improve the inter-subjectivity agreements of the research results. During the research, process memos or field notes were written about the activities or research activities (Eisenhardt, 1989). These memos are described as precisely as possible with a detailed description which enhances the controllability of the research (Strauss and Corbin, 2007). This description gives other researchers the possibility to replicate the study (Aken, Berends & Bij, 2012).
16 | P a g e
during the interviews. This gave the interviewer the chance to replay the interview and to make a transcript of the recorded data. All interviews were held by the same researcher and the whole study is conducted under supervision of dr. S. Girdhar. Second, this study prevented instrumental bias by the use of multiple research instruments. The researcher used in-depth interviews and analysed documents such as the code of conduct and the corporate brochure of the organization. With the use of multiple research instruments triangulation is reached (Yin, 2003). Triangulation can remedy the specific shortcomings and the bias of the instruments by complementing and correcting each other (Aken et al., 2012). Third, the reliability of the respondents has been increased by conducting interviews in different existing departments of the organization. The department managers tried to select representative employees for the interview. The researcher should have some trust in the managers in this case.
Besides controllability and reliability, this study meets the quality criteria for validity. According to Aken et al. (2012), validity refers to the relationship between a research result or conclusion and the way it has been generated. Research results must be justified by the way they are generated. Yin (1994) mentioned three different types of validity: construct, internal and external. Construct validity is the extent to which a measuring instruments measure what it intends to measure (Aken et al., 2012). Semi-structured interviews were used to cover the theory about the prevention mechanism. All aspects of the research gap were addressed. Internal validity concerns the degree in which conclusions about relationships between phenomena are justified and complete (Aken et al., 2012) The researcher gave only conclusions in case of clear patterns of similar or contradictory results. External validity is the third and last form of validity which means that the results should be highly generalizable. This study focused on one case-study, so it should be recognized that the results and conclusions can only be generalized to a limited extent. The study is done to provide an initial understanding about the perception of employees and managers about prevention mechanism. Besides this, it measured what the underlying motivations were when implementing these systems.
4 Results
4.1 Fraud
17 | P a g e
and a possible difference in perception between managers and employees. Table 1 represents all the results.
Most of the respondents named ‘’Everything what people do what is not in line with the law or the rules of the organization’’, ‘’Theft of the organization’’, ‘’abusing the situation for personal advantage without the fact other people will know it’’ as definitions of fraud. Overall all the respondents concluded fraud as a broad concept that is derived from colleagues, learning on the job or the media. Nobody developed the definition from theory, a book or education.
Almost all of the respondents referred to possible occurrences of fraud in their own organizations, some experienced fraud in the organization, some saw fraud in their past work experience and some saw banking scandals and the cartel fraud of construction organizations. It showed various results. The most mentioned example of fraud in the organization is fraud in an advice report. Employees who consciously write another result, when they actually should write without an objective attitude. An overview is given in table 2.
A disparity about the definition of fraud between the managers and employees did not exist at first. What is interesting is that most of the respondents could not say with certainty that all employees in the organization knew what fraud entails and what it could do to harm the organization. One of the employees said:
Employee: ‘’It is based on feelings, I do not have hard data and I cannot prove it, but I think there is a quiet form of fraud in this case, when you keep things away in this case, I do not think that people
understand this’’.
Some of the respondents found that integrity was close connected with fraud: they think that everyone understands the concept of integrity, because they act as an independent consultancy organization. Two striking results in the perception of employees and managers were the level of experience and the level of work:
Employee: ‘’The longer someone works in the organization, how more you know, you better know the processes and also in regarding to fraud’’
HR manager: ‘’there will be a sliding scale of knowledge in the organization’’.
18 | P a g e
Forms of fraud Total respondents
Embezzling of money 3
Theft of assets 3
Reporting fraud 5
Fraud in financial statements 1
Bribery 2
Hour registration 2
Falsifying amount of driven kilometers 3
Table 2: Examples of fraud and their frequency mentioned by employees
4.2 Management antifraud programs and controls
The interviews resulted in broad range of data. The results are structured based on the handbook that is developed by the American Institute of Certified Public Accountants (2002) as previously described in the theoretical background.
4.2.1 Creating a culture of Honesty and High Ethics Setting tone at the top
The first interviews were done with one HR staff manager, two department managers and one business controller of the organization. The respondents were asked to give examples about prevention mechanisms in the organization. All managers started to describe the code of conduct of the organization and the importance of it. They described that the code of conduct was implemented four years ago and should give guidelines on how to deal with certain situations and is based on the three core values of the organization: integrity, professional and sustainability. That integrity is seen as a core value is described with the following quotes:
HR: ‘’You should look to the good side of human, especially at a consultancy company as ours. I think that there only work people who show integrity’’.
Manager: ‘’If you are looking to our new directress, she is always busy with integrity, we want projects in a honest way. Those are things that you keep in mind and you carry out this philosophy. If
someone in the top is saying something, the rest of the organization will follow. If the managers behind her will follow her perception, it is concluded that this will create a stronger position.’’
19 | P a g e
Employees: ‘’Integrity starts in the directive, it is a top down approach in this case and we are aware of this. I think that they show this very well, she is open in her communication and she did not steer on profit maximization. This could be a reason why we do not fall in these traps, we are more focused
on personal development, that we are staying here, that we show loyalty and have challenges every day, we are not a toy of shareholders’’.
Integrity is shown as an important factor in this case. Moreover, the employee referred to the fact that the directress did not steer on profit maximization. This is in line with Schwartz (2004) who found that management should not state unachievable goals, because this could lead to pressure, which can lead people into committing fraud. The second and third core values were professionalization and sustainability. One employee referred to it in the interviews:
Employee: ‘’People feel connected with the environment and sustainability, therefore they want always deliver high quality what can be seen as a prevention method. It is logic that you do not
commit fraud, because it will have consequences for the environment and sustainability’’.
Overall, employees and other managers experienced that there is no absolute need from the directive or other stakeholders as shareholders to push on financial targets and the communication is described as very open where they show integrity. The employees describe the kind of business with highly educated people as an important factor. They should act professional and should know what is allowed and what is not, which can be related to the second core value. It is the type of organization that prevents them from committing fraud. The ACFE (2016) found indeed that the industry where the organization act is an industry where fraud less occurred compared to governmental or financial organizations. But it cannot be ruled out that it does not occur.
Creating a positive workplace environment
All the managers stated that they think that they have an open organization with a culture where everything can be discussed. The HR manager stated:
HR: ‘’People should feel free to talk about issues and to pillory these issues, there is no system better than this. People should not think that they cannot go to their manager, because their life will be
difficult after it’’.
20 | P a g e
Manager: ‘’When we implemented the new financial system in 2012, everyone thought about it. How should it be set up? And why do you need it? What are the risks? You have people with different opinions. We are good at the organization to solve these problems with each other. Because you buy
something what is not customized for everyone, so it could have some loopholes.’’
Spreitzer and Doneson (2005) mentioned that people do less things wrong when they are involved. These two quotes shows that the organization tried to keep the threshold to pillory something very low to involve the employees. Moreover, the respondents described the organization as an organization with a flat structure where every employee could discuss issues with everyone in the organization: with your direct colleagues, with the project manager, the department manager or the work council. The flat structure is well defined by one of the respondents:
Employee: ‘’The hierarchical structure is only used when it is needed, when we have to make decision, but this is normal. In other moments it is not visible.’’
If the employees have a certain problem it is possible to visit a confidential mediator. But none of the employees knows who this is. A common response is that they can find it on the intranet when they need this person. If they have a serious problem, they mentioned that they expect that they go to their manager, but not to a confidential mediator, because there is no threshold to pillory something. The satisfaction of the employees is tested by performance appraisals. A manager explored:
Manager: ‘’Every employee has three performance appraisals with their manager. The personal situation of an employee is a subject of it. It is a combination between the employee and the
manager, to create a good feeling in this conversation.’’
Employees have different opportunities to talk about their feelings or possible dissatisfaction about their job. In response to this, all the respondents referred to a survey that is held every quarter about employee satisfaction. This is introduced to connect the organization with the employees: are they satisfied and could we increase satisfaction? The results of the survey will be discussed on each department and in a plenary session and if needed it will be discussed personal. One of the managers built a bridge where he now sees this implementation as a prevention mechanism:
Manager: ‘’If people are satisfied, they feel safe and they are satisfied with their rewards and their work. If all those things are regulated in a good way. People will not act in a wrong way in my
21 | P a g e
The assumption of the manager can be connected with the literature of Caruana (2001) and Sims (2002). They found that people who have a high job satisfaction have less motivation to involve themselves in unethical behaviour. This is reinforced by the respondents who stated that their goals are clear and achievable. They have an appointment at the beginning of the year where goals are set up. If they are not achievable, they will discuss it at that moment. Some of the respondents add something to this statement about the goals:
Employees: ‘’I expect that everyone wants more to deliver than the formulated goals. It is a kind of the culture in the organization.’’
People felt very comfortable with the organization where feedback is given at the moment, and not a few weeks later. It is experienced that managers stimulate the employees to give feedback which is another form of involvement described by Spreitzer and Doneson (2005). Overall, the managers and employees described that there are no negative responses to the workplace environment and the answers are unambiguous in a positive way.
Hiring and promoting appropriate employees
The managers who hire new employees described that at least two different people of the organization are involved in the first interview with an applicant. They do this to create many perspectives of an applicant. Fraud is not mentioned in this case, trust is more mentioned and experienced. All the managers responded that they would not go further with an applicant if they do not feel trusted. A check of the curriculum vitae is a starting point, in some cases they check some references but they do it only when they know the person who give the reference:
HR manager: ‘’Mainly, it shows that a reference is not always reliable. You do not know the relationship between the two persons if I call someone from another company where the person
worked. You will never ask someone who gives you a bad reference. Furthermore, if someone is punished for a criminal act and the person has served his sentence and he lost everything: should I
refuse somebody if he expresses his regret? I will not.
The above literature described contradictions with regard to the literature of Wells (2011) where references are seen as a good indication method and that people should not be hired if they have a questionable background. The employees described it from another perspective and mentioned that the type of organization can be seen as a screening device.
22 | P a g e
It was difficult for the employees to answer this question, because they only knew this subject by own experience. Most of the employees have been working for 10 or more years for the organization and forgot how they were hired and do not know how the hiring procedure is set up. They think that it is going well but did not link the hiring procedure to fraud. The employees described that newly hired employee’s work with a probation period to find out if they are able enough to work in the organization and the field workers need a certificate of good conduct before they are allowed to work. This is a required investigation of the government and is a form of background check described by Wells (2011). For other employees in the staff this check is not necessary. If someone wants a promotion in the organization this is based on experience in the organization. Trust is the most important aspect described by the managers and employees.
Training
Fraud is not specifically mentioned in the organization, neither by training. They see fraud as not an immediate threat to the organization. Most of the managers made a comment about it, because it could be that they did not know everything and that they act with a reactive approach as described by PWC (2016):
HR manager: ’’There should be a motive to send everyone on training course and were you are thinking: ok, everyone learns from it. If there is an accident, we react to it, that is how it works in this case. If there were an accident every month, the management would think twice about it and then we
will send every employee on a training.’’
The HR manager mentioned that training is not effective because training costs the organization approximately € 320.000. Either, research conducted by the ACFE (2014) described that antifraud training deterred employees to commit fraud and that 50% of the tips of detection of fraud came from employees. If employees do not know how they should recognize fraud they cannot detect people who commit fraud. Another argument why they did not send the employees on training is the type of organization:
HR manager: ‘’We are a consultancy organization, not a bank, of course we should have mechanism to understand if we are doing well, but this is not relevant at the moment’’.
23 | P a g e
that it is unconsciously interwoven in other training. A project manager mentioned that he asked the employees the following questions on a training a few months ago: do you see what is booked on a project and how are you dealing with it? What can you do to see if it is right? The project manager mentioned that it was not specifically fraud training but it was more about integrity. So, the organization is not consciously training employees, which is stated by a manager with the following quote:
Manager: ‘’I think that it is important to have some knowledge about this subject. What are the opportunities and how can you prevent it? Through this conversation, I am aware of the prevention
mechanism. I was not aware of mechanism to prevent fraud. I expect that we have more fraud prevention mechanism than an average employee should realize. Maybe it is good to sketch this:
‘’This is what we need to prevent us against fraud’’.
The employees commented differently with regard to training. Some employees do not see specific fraud training as an effective way in the future because ‘it is not a big issue’. Other employees describe that it is good to define what fraud is, which kind of fraud could be relevant and to describe this some examples should be used. Training should be given to create some awareness and to emphasize the importance. Some employees found that too much is based on trust. This is different perception compared to the perception of managers who saw it not as an effective manner. Some of the employees want to know more about possible fraud occurrences because they do not know them all. This could be connected to the first results described in this research about the knowledge of fraud and what it actually includes. Nobody could say with certainty that every employee knew what fraud included. According to Biegelman and Bartow (2012) fraud training could help employees to recognize wrongdoings in the organizaiton. On the other hand, employees mentioned that they do not want specific fraud training but that it could be mentioned as part of another training which is also described by Albrecht et al. (2011).
Confirmation
According to the HR directive the goal of the code of conduct is to discuss ethical issues. Signing by employees is perceived as an important step by the implementation of the code of conduct.
HR manager: ‘’People will read it when they are required to sign something, this will make them aware. You can definitely say that with the code of conduct, which is introduced 4 years ago, since that day it has created awareness by people. It has led to greater awareness. Every employee know that we save such a code of conduct. I have not got many reports but 2 á 3 times I got a report where
24 | P a g e
The management argues that the implemented code of conduct created greater awareness. They mention also that that they maybe could do more than only implementing the code of conduct, but this is a consideration. The literature of Albrecht (2009) described that the signing of the code of conduct is a minimum. Schwartz (2004) mentioned that employees should be involved by the implementation, which has not happened here. The HR directors and the managers do not see that things go wrong at the moment, which is the reason why they do not mention integrity and the code of conduct all the time:
HR manager: ‘’I do not want to say that integrity is not important, but you communicate less about it because it happens less. It should be covered in a continuous discussion’’
Either, none of the employees could give concrete examples of the code of conduct when they were asked to tell something about prevention mechanism. They told that they only knew that the code of conduct exists. Opinions about the implementing of the code of conduct differ:
Employee: ‘’I doubt if it is enough to only produce and sign it and thereafter put it away. But it is a personal thing everyone act as a professional’’.
Employees are not trained about the code of conduct while they see it as an effective method. This is also in line with Schwartz (2004). Other employee’s mention that only signing the code of conduct once, had only created some awareness at the moment but that it furthermore acts as a paper tiger. Most of the employees can explain one example, but do not realize what is in the code of conduct and what the reason of implementing it was. It has created a discussion afterwards, but they are not involved before the implementing of it. One employee told me about this discussion:
Employee: ‘’A lot of people discussed this code of conduct because they were saying that it was a little bit patronizing. An employer should not require you how to act. But I find that we are more open since that code of conduct is introduced. People are saying more on the work floor and I see it as a
positive effect because the communication is much better’’.
Most of the employees thought that it can be more effective if they repeat the code of conduct once in a year to create every year some awareness.
Employees: ‘’They could mention one example, they are always talking about safety, but this could be mentioned more often to emphasize the importance. They could also look if the code of conduct is up to date at the moment. The organization is four years further since they implemented it. Refresh and
25 | P a g e
All these quotes of the employees are in line with the study of Schwartz (2004) who described that employees should be involved in the process of creation, that companies should provide examples and that they should give training. This perception showed contradictions with the perception of the managers. They implemented it and did not see reasons why they should do more about it. One employee thought that the code of conduct realized a more open culture; this is questionable, because this argument could involve the opinion of the researcher better divided to the subject ‘workplace environment’.
Discipline
The opinions about it are various. The managers stated that they expect or noticed that a zero policy is maintained if it deals with theft, but in other cases it depends on how serious it is. One respondent of the management answered:
Manager: ‘’In examples with a lease car, it is different, I expect that someone will get a warning. If the law states that someone can be fired, he will be’’.
The HR directive referred in another example to an employee who declared 30/40 euro’s which did not belong to the business but were for personal enrichment. This was two years ago. He was not fired, but if it was an amount of 1000 euro’s he would be fired. This person had psychiatric illnesses and they thought that they were not staying strong for the court if they fired the person. It is not the culture in the organization to fire someone who is in that condition. They gave him a warning. The example described that the organization does not use a zero tolerance policy, otherwise the employee would be fired. It is more important how the employees will perceive the policies of the organizations, because they should be deterred with these policies as described by Rezaee (2005). The employees are unanimously and answered that they expect that someone is fired when he commit fraud.
Employees: ‘’I think that if you do something that is wrong, that could be related to fraud, that you will be fired. We have a level of work and we are known about it in the market. If you make one
mistake, the whole organization is going down and you will lose your credibility’’.
This is reinforced by other employees who referred to an accident in another establishment a few years ago that make people aware of the consequences:
Employees: ‘’Two fieldworkers drilled at one place, they did 10 measurements at the same place. They knew that they were fired, we spoke about it with colleagues and I thought that it was on the
26 | P a g e
The employees felt that they were punished if they commit fraud which is in line with the literature of Carpenter and Reimers (2005) and Krummeck (200) who found that unethical behaviour should not be tolerated but punished. This deterred them to commit fraud and so it can be described as an effective prevention method. Most surprising is the fact that the HR department created a grey area and did not use a straight line in a zero policy while employees have the perception that they will be fired in any case.
4.2.2 Evaluating antifraud processes and control Identifying and measuring fraud risks
All of the respondents, managers and employees, answered that there are not specifically fraud risk assessments. The management noticed that there is no need, because it did not occur in the past so it is not a priority. It is more based on an ad hoc approach as a brainstorm session without a certain checklist. Two managers elaborate on this:
Manager: ‘We are not a bank and we do not have a compliance officer who is full-time being active with this topic. If we expand to another country, we will check if it is political allowed, if there are risks
about corruption, how are people paid over there? We try to expose those risks’’. Manager: We exist for a great percentage as human knowledge and that is our most important capital. Most people are highly educated and we exist for almost 100 years. Through this process you
will grow. You will learn from your mistakes and the faults that you made and the occurrences that happened. And no, we do not have a pro-active approach to fraud, but we keep it in mind.’’
The comments above illustrates that the organization based their risk assessments on their experience and learning on the job approach. This could be effective as studied by Asare and Wright (2004) who found that risk assessments without a checklist were more effective. A comment should be made about this, because the management never had a training about fraud and never used a brainstorm sessions where they ask themselves the question who has the best opportunity to commit fraud as described by Albrecht (2011). One of the respondents gave another where he was critical:
Business Controller: ‘’Sometimes, the management could spend more energy. The company is not always looking behind a new implementation. I have a NS business card. I can travel with it were I want if I am free in the weekend. Nobody can check this. But the NS required us to use this card and
27 | P a g e
This result suggests that the ad hoc approach is not always effective by the perception of the business controller. Employees did not give a contribution to the fraud risk assessment, because they did not know what it encompassed. This could be related to the absence of knowledge that could be increased with a previously described training. Employees will be better to identify risks with this training, because they will know what to look for.
The data of the organization is partly protected by passwords and data does not exist on hardware. Almost all the projects are visible for every employee, also when an employee does not work on a project. If a project is highly secret, in case of a merger of acquisition, a key could be placed on the project by the IT department. But this is not normal in the organization. The HR manager and one employee reacted:
HR manager: ‘’People work on different projects and they should be able to work on a project. It is an open system. We have some discussion about it at the moment where you have only access to a project of you are working on it because there are some risks. But I do not agree with it, you will have to deal with several administrative proceedings. It is an endless discussion which does not fit with our
open culture.’’
Employee: ‘’Yes, I could delete a whole project but there is a back-up. If they see that I deleted it, I will be fired’’.
Risks were identified by the manager and also by the employee. But the employee has the perception that the organization used a zero-tolerance policy which deterred him in every situation to misuse this situation which can be related tot the previous subject ‘discipline’ and the theory (Rezaee, 2005). Another employee praised the mentality and the drive to work together as an important factor to identify risk. They set up a workgroup when a new project starts: what is asked? What is going wrong? How could we improve this? But they do not perceive it as a real risk assessment with a certain checklist which is another confirmation of the used method described by Asare and Wright (2004).
Mitigate fraud risks
28 | P a g e
Managers: ‘’If we do not enrol for a project, it is a conscious choice. I have an example were we were one of the only organizations who could do the job and could earn millions of dollars, but we did not,
because we want to show our integrity and honest.’’
They did not want to participate in this project, because they knew that corruption took place in this country. The managers stated that corruption is a difficult type of fraud to prevent in the organization. The HR manager stated:
HR manager: ‘’How should you prevent it? We do not want to act as a police station. I do not want to check all the calls for example that the person did that day. You cannot know if an employee makes
secret agreements and where he gets bribes for it. We should trust the employees in a certain way and the code of conduct and the culture in the organization should cover this. People are always seeing more as you expect. Furthermore, we do a lot of business with the government. Previously, there was the building fraud. Contractors made some cartels and contractors made agreements with civil servants. But the government intervened this. It is a lot more transparent than before and there are less opportunities to commit fraud. We have found some incidents in the past but I do not think
that this is the top of the iceberg. Fraud has not a broad scope here, so I think that the current prevention methods work well enough.’’
The above answer can be partly related to the study of Collins (2009) who described that social ties with government officials could create opportunities to commit fraud. The government strengthens their control and monitoring on this and the opportunities to commit fraud and make secret agreements decreased. Furthermore, the manager said that people ‘were seeing more as you expect’. But the described results showed that employees did not have knowledge about fraud, why it is questionable if this quote is based on facts.
29 | P a g e
Manager: ‘’I cannot imagine that people are involved in corruption, they are always working in teams of at least two persons and the procurement is never done by one person, it is checked and double
checked, it could only go wrong if two or more people discuss it with each other.’’
One of the employees reacted on this and took this statement in doubt and this person saw possibilities to commit fraud:
Employee: ‘Some colleagues are often working together, if an existing client or organization joins for a new project. The same colleagues will adopt this project. I do not want to say that they are involved
in corruption, but I can imagine that that corruption can occur at such a place’.
The respondent reflects this by saying that there will always be a project manager who checks the project. But there is no rotation on the job as described by the ACFE (2016) that could prevent the organization against this possibility. Segregation of duties and policies on approvals are well defined: Everybody knows what he can sign, on the base of risk but also on the amount of money. Most of the employees mentioned practice examples in the field to describe why risks are mitigated. The employees who has to work with the fieldworkers referred to the required procedures, processes, certificates and the certificate of good conduct by the government. The government required these certificates because there were too many examples of fraud in the past.
Employee: ‘’The Netherlands is a country with a lot of rules, we should deal with standards, institutes and certificates. For every kind of research, there is a certificate. But other organizations are dealing with the same. It ensures that you are integrity in your process and keeps you away from fraud. So we
are not limited by it. It creates opportunities’’
Without such certificates, an employee is not allowed to do soil surveys. Employees know that they will lose their certificate if they commit fraud. Therefore, all the respondents think that this will work as a good prevention method in the field. Otherwise they are losing their job. This is reinforced by another employee:
Employees: ‘’you focus on all the quality criteria in the field, because you know that an external audit from the ministry could take place. The ministry follows us in our work so you are very precisely in all
the procedures and processes.’’
30 | P a g e
inform them about changes. They ensure that fraud opportunities are mitigated. One of the managers had an addition to the influence of all the rules:
Manager: ‘’I think that it is important that an organization tries to reach a certain goal, a certain level. If you require people to follow rules, they will do it. But I think that you should pursuing this goal
by yourself and not by law. Your goal could be higher than law- and regulations. It is good to have some regulations as background, but you should have some opportunities as an organization to
improve yourself. I do not feel pressure from the law.’’
This result can be interwoven with the results of tone at the top. Professionalization is an important driver for the organization, to deliver quality but also as a prevention mechanism to commit fraud. To explore this, an example about the implementation of a new app is given, which was not required from the government, but to show their reliability and this process mitigated fraud risks as described by Albrecht et al. (2011):
Employees: ‘’In the field we notice what we are seeing and nothing else, we have built an app-application by ourselves wherein the data is saved. This data cannot be changed, only by the administrator. If you want to change something, you should prove why you want to change this. This
is the same for a bid. These are always signed by two different people and people work together by one organization. So someone should notice it. That is a reason why people should not commit it. ‘’
In most of the cases the managers and employees referred to corruption. Therefore I told the manager about asset misappropriations, one of the three other main subjects of occupational fraud.
Manager: ‘’People could steal from the company, but it will be difficult to steal physical assets in this organization, because almost everything is digital. For the remaining assets, we have the department
finance which checks and control every single transaction what is known by every employee. They have signed a labour contract for example where stands that kilometres and hours should be filled in
honourable and conscientious.’’
31 | P a g e
mitigate the risk with this process. These accounting organizations check if the numbers are well developed. The business controller stated:
Business controller: ‘’I have the opportunity to engage in fraud, but I protect myself therefore, because I have to make a logbook which will be checked by the accountant. This made me really aware of it’’. In the same breath he added: ‘’I expect that this awareness is lower inside at functions
of other departments. We are more focused at finance, absolutely as a business controller.’’
The above answers describe an ad hoc and a reactive approach to fraud prevention as also is described by PWC (2016). Employees and managers reacted without a conscious answer to fraud prevention mechanism, but reacted by saying what came in their mind. It is more a learning on the job approach. The most important example in this case is the acceptance of new projects. They discuss with each other what could be wrong but they did not use a checklist in this case. The word fraud is never mentioned here and it is questionable if they mitigate all the risks in the organizations because they did not identify all the risks in a pro-active approach which is found in the section before.
Implementing and monitoring appropriate internal control
The third subject of evaluating antifraud processes and controls focused on the implementing of it. Most of the employees felt that they were monitored.
Employees: ‘’There are several checks on several levels to check if everything is done in the right way. A second reader will read our report: is it the truth what is written? Does the report describe all
information we know or is something missing?’’
Employees know that it will be checked if they declare something. They should show a receipt and finance will check it. The salary administrator does a sample if people write the right amount of kilometres. Most of the respondents are aware of this, but an example about the past reflects that it is some grey area. The department of finance found that there were more computer mice bought than flex work places exist. So, there should be stolen some mice. The business controller and an employee reacted on this incident:
Business controller: ‘’People snigger about it, they use it for their work, so they could take it home right? But we put a message on the intranet, I do not know what was actually the result’’ Employee: ‘’People wants their own mouse, because they should have one if they go to a client,
